
Enable 2nd NIC which is unplugged -lose 1st NIC LAN - SBS server 1

Status
Not open for further replies.

lacasa

MIS
Jan 16, 2003
106
US
Windows SBS 2003 DC with 2 NICS - One is for LAN, the other is unplugged.

When I set up RRAS last week, no clients could ping server. I discovered by disabling RRAS and 2nd unplugged NIC, I could get clients to see server.

Today I tried enabling the second NIC - still unplugged - without RRAS - and as soon as I did, the clients could not see server.

My goal is to set up a VPN using RRAS. FYI - I reinstalled OS last week and still need to configure email and internet role so this could have something to do with it.

So I need to do some reading, but I am confused why I should lose connection just by enabling an unplugged NIC. Both NICS are set with static IP.

Thanks.
 
Yes - one is 192.168.0.50, the other 192.168.060

Right now the server, the 5 other clients, and the internet router, are connected to a switch.

I have been reading that two NICS should be in two different subnets. The other is that I should have the following setup with a WAN and LAN.

Internet > SBS Win2003 Server > Switch > All other clients.

So I guess this means that the SBS Server acts as an additional router? I am still trying to understand what actually happens with two NICs in the same subnet.
 
By the way the server is only used as a file server. I did setup exchange in case we share calendars.
 
This may help. I had the same sort of problem about a year ago with a 2000 server. Due to my lack of knowledge, when I was setting IP address for the second NIC I included a Gateway address. This caused all sorts of problems. Eventually one of the people here helped me out.

Make sure only one NIC has a Gateway entry.



Craig Miles, CCNA
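
The two multihoming mistakes raised in the posts above (two NICs addressed in the same subnet, and a default gateway on more than one NIC) can be checked mechanically. The following is an added example, not part of any post in this thread: it parses constructed `ipconfig`-style text and flags both conditions. It assumes both adapters are listed with their addresses; the adapter names and addresses in the sample are made up.

```python
import ipaddress
import re
from itertools import combinations

# Constructed sample in the style of `ipconfig` output (names and addresses are made up).
SAMPLE = """\
Ethernet adapter Server Local Area Connection:
   IP Address. . . . . . . . . . . . : 192.168.0.50
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Default Gateway . . . . . . . . . : 192.168.0.1

Ethernet adapter Local Area Connection 2:
   IP Address. . . . . . . . . . . . : 192.168.0.51
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Default Gateway . . . . . . . . . : 192.168.0.1
"""

HEADER = re.compile(r"^(?:Ethernet )?adapter (.+):\s*$")
FIELD = re.compile(r"^\s+(IP(?:v4)? Address|Subnet Mask|Default Gateway)[ .]*:\s*(\S*)")

def parse_adapters(text):
    """Return {adapter name: {field: value}} from ipconfig-style text."""
    adapters, current = {}, None
    for line in text.splitlines():
        head = HEADER.match(line)
        if head:
            current = adapters.setdefault(head.group(1), {})
            continue
        m = FIELD.match(line)
        if m and current is not None and m.group(2):
            key = "IP Address" if "Address" in m.group(1) else m.group(1)
            current[key] = m.group(2).split("(")[0]  # drop a "(Preferred)" suffix
    return adapters

def audit(adapters):
    """Flag adapters that share a subnet and hosts with more than one default gateway."""
    findings, nets = [], {}
    for name, f in adapters.items():
        if "IP Address" in f and "Subnet Mask" in f:
            nets[name] = ipaddress.ip_interface(f"{f['IP Address']}/{f['Subnet Mask']}").network
    for (a, na), (b, nb) in combinations(nets.items(), 2):
        if na.overlaps(nb):
            findings.append(f"same-subnet: '{a}' and '{b}' are both in {na}")
    gateways = [n for n, f in adapters.items() if f.get("Default Gateway")]
    if len(gateways) > 1:
        findings.append("multiple-gateways: " + ", ".join(gateways))
    return findings

if __name__ == "__main__":
    print("\n".join(audit(parse_adapters(SAMPLE))))
```
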
 
Unless you are running ISA, I wouldn't keep both NICs enabled. Just use one, and try and forget that the other one exists. You don't need it for bandwidth, and trying to separate traffic just increases complexity without a lot of returns for you.

ShackDaddy
 
Thanks. I just read that as well to not put a gateway on 2nd NIC.

I am trying to set up a VPN using RRAS and my incorrect setup started the problem. I have been reading that using 2 NICs is better for RRAS/VPN?
 
Only if you are going to hang one interface off of the public network, which you are not doing. You aren't using your server as a firewall, so you don't need it. I've set up nine SBS servers in the last 12 months: all of them are set up for VPN, and none of them use an additional NIC. Don't worry about configuring RRAS, either. Just use the SBS wizard to set up the VPN (Remote Access) and make sure the required ports on your router/firewall are passing properly.

ShackDaddy
 
Should I disable the extra NIC or remove it? Will the SBS wizard assign addresses in the same subnet? My LAN is currently 192.168.1.X. Should I let the SBS wizard assign IP addresses through the SBS server DHCP or list them statically?

How about the configure email and internet connection wizard? Should I use this or just manual settings?

Thanks again. I appreciate your help.

 
It would be easiest just to disable it. And in the future, if your live adapter stops working reliably, you can switch. The SBS Remote Access Wizard asks you whether you want to use DHCP or not, but in either case, the addresses will be in your local (same) subnet. Feel free to let it use DHCP, but be ready to see 5-10 addresses be taken ahead of time by the RRAS service. So make sure you have enough addresses in your scope.

Any time possible, use the Wizard and not the manual processes. SBS is put together a bit differently, and what makes perfect sense in a normal server environment doesn't always work in SBS. The SBS community generally agrees that you should stick with the wizards for setting up all services, and then you can go in to tweak things here and there.

ShackDaddy
 
Thanks for all your help. I still can't configure VPN.

I disabled the unplugged NIC, ran email and internet connection wizard, selected broadband connection, entered ISP DNS for primary and secondary, the local IP address of router. Selected "uses single network connection" for both internet and LAN. Server Local Area Connection under Connection Name.

To complete the wizard cleared all check boxes for allowed connections? I also selected disable email as I will not use Exchange for internet email - only local and calendar feature.

Wizard finished without error.

I then ran configure remote access wizard on the To Do list under server management. It asks for a name. I used myservername.mydomainname.local? When I clicked finish, it gave me an error. I checked the rraslog.txt and the last lines are:

Changing RRAS startup type to automatic returned OK
*** Configuring Remote Access Policy returned ERROR 80072030
Specifying error location returned OK
*** CRRASCommit:: CommitRRAS returned ERROR 80072030
*** CRRASCommit:Commit RRAS returned ERROR 80072030

Any ideas?

If I configure Routing and Remote Access under Admin tools, it sets up OK, but I still get error 800 if I try to establish VPN.

Should I be using wizard or just configure through RRAS?
 
I was just able to get the configure remote access wizard to work. I just completed SP1 update for SBS. That may have something to do with problem. Also named my connection our public IP address.

Still can't VPN in - at least with my internal test - get error 800.

Will try from home later.
 
At home now. Tried to work then I got an error 628. I need to check my security settings. I noticed in properties of user name that Dial-in changed to "use Remote Access Policy" instead of Allow user.

Need to check on this.
 
Change to Allow user.

And a general rule of thumb: in SBS, use the wizards whenever possible. It's easier than remembering the six checkboxes and the registry hack. I spent a lot of time in the Windows non-SBS server world and I'm comfortable there, but SBS is really a different animal.

Do you have a firewall in front of your SBS box? And are you using a LinkSys router at home? If you are using a LinkSys router, there are known problems that can be solved either by upgrading (or sometimes downgrading) firmware and/or by enabling VPN-passthrough in the options.

ShackDaddy
 
I use an Actiontec GT701 at home and at work. I have been able to VPN from home to the SBS server, but had trouble after a remote reboot. The other problem was the RRAS locked out the LAN access to server. I have that solved by following your suggestions, but the VPN now does not work.
Ports 1723 and GRE 47 are forwarded to server IP address.

I tried RDC (without VPN) using the public IP address and I was able to connect and logon. This surprised me as I had not forwarded port 3389. I did note that the basic firewall built into Actiontec was turned off - so I was only behind NAT. Of course this opens up another discussion as far as the security and only using NAT with a VPN? I have since turned the firewall to the high setting and will probably have to forward 3389.

So it appears I can use RDC without VPN, but this is not as secure?? I have now discovered Remote Web Workplace for Windows 2003 SBS. Maybe I should be using this?

Thanks for your help.
 